VPS to PFSENSE VPN - Wireguard?

Looking for any input here, I am looking to make a site-to-site connection between a Debian VPS at Linode, and my home PFSENSE Firewall

Last time I did something like this was using OpenVPN which worked, but had performance limitations. I also had PFSENSE at both sites, not just a VPS/VM

My goal is to have secure management of the VPS without opening ports to the world, and also to be able to remotely access services at home via the VPS

I have redundant WAN at home, and the second connection is T-Mobile 5G Home Internet which is CGNAT. In the event that my main connection is down, I want some things to just work as normal. So assuming the VPS is the server side of the VPN connection, and PFSENSE is the client side, it should work well

Should I move forward with Wireguard? I’ve heard a lot about tailscale, but I’m not sure what it gets me over just a Wireguard tunnel

I’m a FreeBSD user so I’m presuming that the experience on pfsense is very similar.

Wireguard works fine and will do what you’re asking about just fine, the only “downside” is that it cannot refresh domain names without destorying the interface (reloading it). There also a DCO module for OpenVPN in the works, ⚙ D34340 ovpn: Introduce OpenVPN DCO support

There is no point in using tailscale with only 2 physical locations afaik. Why set up a theoretical mesh-based infrastructure for only 2 sites? And you would have to self-host the control plane being Headscale or pay for the service that you aren’t even actually utilizing. Unnecessary all around. And if you are using 2 WAN from your residence but your VPS has a single static IP then I would definitely put the Wireguard server on the VPS and make the home router a client. Otherwise you will need at least one DDNS. If the VPS is looking for either public IP they may change and if you have DDNS and one goes down you will need to DDNS them both. Very messy.

Also don’t know what the above guy is mentioning OpenVPN for. Wireguard is the way.

There’s quite a bit of difference in terms of functionality between OpenVPN and Wireguard so dismissing one over another is ignorant at best without looking at the use case.


Why would you use OpenVPN over Wireguard?

tcp support, http proxying, much more flexible dns/routing support, better support for dynamic hosts to mention a few things.

1 Like

I will not say which vpn is better to use, I will leave it to others.

But if you really don’t want to open ports on both sides, both ends have to connect themselves to the hub… which is something like tailscale / zerotier / nebula.

Never mind that only two hosts, what matters is the fact that communications between the hosts are bridged at a central point without having to open the ports on either side.

Conventional setup only requires opening ports on one side

1 Like

Nobody says otherwise.

1 Like

Late to this party. I love OpenVPN, but getting it set up properly can be… nightmarish.
WireGuard works a dream, and so long as you’re not doing anything too complicated routing-wise, it’s probably the way to go.

I ended up using WireGuard, pretty easy config and working well so far. Getting the full 1G/1G out of my connection

1G point-to-point encryption? What cpu and how much is burdened by this traffic.

My pfsense box has a Pentium Gold G5500, and the VPS reports AMD EPYC 7542, but I only get 1 core of that of course! Latency is pretty low, 4ms

Realistically I will never utilize this speed

What do you mean what is burdened?

In the past, when traffic was encrypted at the 1G level, it was a stress for the cpu, today it is a walk in the park, apparently… :wink:

By curiosity, where do you end the second end point for this tunnel? Some commercial vpn or something private? It must be rather good since you can generate up to 1Gb/s of traffic with no problem.

A few years ago I tested some commercial vpn on the market, it was hard to find something that would give more than 200-300Mb/s

One end is my VPS, other end is my pfsense box at home. Just a point to point tunnel

I subscribe to Mullvad as a VPN provider for privacy, and I can get 1Gb/s over that no problem too with Wireguard. Before they all used OpenVPN which seemed to have that 200-300 limit

1 Like